The Hacker News — Cyber Security, Hacking, Technology News

We use our smartphones for almost everything, from Internet banking to sharing private files, and the mobile malware sector is growing at the same pace.

The number of variants of malicious software aimed at mobile devices has reportedly risen about 185% in less than a year.

Security researchers have observed a growing number of desktop malware families adopting Tor-based communications, and now researchers at anti-virus firm Kaspersky Lab have spotted the world's first Tor-based malware for the Android operating system.

The Android malware, dubbed 'Backdoor.AndroidOS.Torec.a', uses the Tor hidden service protocol for stealthy communication with its command-and-control servers.

Researchers found that the Trojan is run from a .onion Tor domain and reuses the functionality of 'Orbot', an open source Tor client for Android devices, thereby shielding the botnet from being detected and blocked by law enforcement authorities. It is not yet clear how many devices have been infected by this malware.

The Trojan can intercept and steal incoming SMS messages, make USSD requests, steal device information including 'the phone number, country, IMEI, model, version of OS', retrieve the list of applications installed on the device, and send SMS messages to a specified number.

Kaspersky did not say whether the malware is specifically aimed at stealing banking information, but the popularity of Android keeps motivating cyber criminals to develop far more advanced Android malware with stealthier communication and anti-reverse-engineering techniques.

Here are some things you can do to dramatically reduce the risk of malware infections on your Android phone:

Install apps from the official Android Market rather than from third-party app stores or websites.

Tor is often called the dark side of the Internet, the so-called dark web: it provides a safe haven for privacy advocates, but it is also where drugs, child pornography, assassins for hire and other weird and illegal goods and services can allegedly be traded.

A claimed zero-day vulnerability in Firefox 17 was used by the FBI to identify some users of the privacy-protecting Tor anonymity network. The FBI did not compromise the Tor network itself; its multiple layers of encryption still stand. Instead, the FBI compromised only the Tor Browser, using a zero-day JavaScript exploit to implant a cookie that fingerprinted users through a specific external server.

Eric Eoin Marques, a 28-year-old man in Ireland believed to be behind Freedom Hosting, the biggest hosting provider for sites on the encrypted Tor network, is awaiting extradition on child pornography charges. It is understood that the FBI spent a year trying to locate Mr Marques.

Marques was arrested on a Maryland warrant that includes charges of distributing and promoting child pornography online. He faces four charges relating to alleged child pornography offences, carrying a total of 30 years in jail, and the FBI has reportedly dubbed him “the largest facilitator of child porn on the planet.”

Mr Marques told the court he was born in the US but has lived in Ireland since he was five. He said he was last in Romania a few weeks ago, when he withdrew €6,000 from his credit card to help a friend start a business.

The Tor network is a robust tool for journalists, whistleblowers, dissidents and others who want to publish information in a way that is not easily traced back to them. That need has been heightened by the many revelations about the US Prism program and other cyber spying initiatives. His arrest coincides with mass outages across the Darknet affecting popular services such as Tor Mail, HackBB and the Hidden Wiki, which were hosted on Freedom Hosting. Worse, there are reports that many well-known Tor hidden services may have been compromised using a browser exploit.

“The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect users’ computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We’re investigating these bugs and will fix them if we can,” Andrew Lewman, the Tor Project's Executive Director, said in a blog post.

Mozilla says it has been notified of a potential security vulnerability in Firefox 17 (MFSA 2013-53), which is currently the extended support release (ESR) version of Firefox. The exploit code has been posted by Mozilla, and a deobfuscated copy of the JavaScript used by the Tor Browser exploit has been posted on Google Code.

The malicious JavaScript carries a tiny Windows executable hidden in a variable named “Magneto”, but the Magneto code doesn’t download anything. It looks up the victim’s MAC address and Windows hostname, then sends them, as a standard HTTP request made outside of Tor, to the server in Virginia, thereby exposing the user’s real IP address.

The FBI appears to have gained access to Freedom Hosting and injected malicious HTML code that checks whether the visitor's browser is Firefox 17. Some visitors looking at the source code of the maintenance page noticed that it included a hidden iframe tag that loaded a mysterious clump of JavaScript code from a Verizon Business Internet address located in eastern Virginia.

Openwatch reported that the execution of malicious JavaScript inside the Tor Browser Bundle, perhaps the most commonly used Tor client, came as a surprise to many users. Previously, the browser disabled JavaScript execution by default for security reasons; however, the developers recently reverted that choice to make the product more useful for average Internet users. As a result, the application has become vastly more vulnerable to attacks such as this one.

The JavaScript payload was analysed by reverse engineer and exploit developer Vlad Tsyrklevich, who found that it briefly connects to a server and sends the victim's hostname and MAC address. "Briefly, this payload connects to 65.222.202.54:80 and sends it an HTTP request that includes the host name (via gethostname()) and the MAC address of the local host (via calling SendARP on gethostbyname()->h_addr_list). After that it cleans up the state and appears to deliberately crash."
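Two things in the account above are directly observable by a defender: the hidden iframe that the maintenance page was made to serve, sourced from a raw IP address, and a browser process on a Tor host opening a direct HTTP connection to a public address instead of going through the local Tor proxy. The Python below, an added example that is not code from the article or from any of the researchers it quotes, checks for both over constructed input. The HTML snippet, the connection records, the process names `firefox.exe` and `tor.exe`, the documentation-range addresses 192.0.2.10 and 198.51.100.7, and the assumption that Tor Browser only ever talks to a loopback SOCKS listener (127.0.0.1:9150 is assumed) are all assumptions of this example, not facts from the page.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import List

# --- 1. Served-page check: hidden iframes pulling content from a literal IP ---

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
# URL whose host is a dotted-quad IPv4 literal rather than a hostname.
RAW_IP_URL_RE = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)")
# Zero-size or display:none iframes are invisible to the visitor.
HIDDEN_RE = re.compile(r"\b(?:width|height)\s*=\s*[\"']?0(?!\d)|display\s*:\s*none",
                       re.IGNORECASE)


def find_suspicious_iframes(html: str) -> List[str]:
    """Return the src URLs of iframes that are both hidden and sourced from a raw IP.
    Either trait alone is common on legitimate pages; together they match the
    injection pattern reported on the Freedom Hosting maintenance page."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        m = SRC_RE.search(tag)
        if m and RAW_IP_URL_RE.match(m.group(1)) and HIDDEN_RE.search(tag):
            hits.append(m.group(1))
    return hits


# --- 2. Host egress check: browser traffic that bypasses the local Tor proxy ---

@dataclass(frozen=True)
class Conn:
    process: str
    dst_ip: str
    dst_port: int


def parse_conn_log(text: str) -> List[Conn]:
    """Parse constructed host-firewall records of the form 'process ip:port'."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        process, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        conns.append(Conn(process, ip, int(port)))
    return conns


def find_tor_bypass(conns: List[Conn], browser_process: str = "firefox.exe") -> List[Conn]:
    """On a host where the browser is expected to reach the network only through the
    local Tor SOCKS listener (assumed here to be 127.0.0.1:9150), any browser
    connection to a non-loopback address leaks the real IP, which is exactly what
    the Magneto payload does. Only the Tor daemon itself should talk to the Internet."""
    return [c for c in conns
            if c.process == browser_process and not ip_address(c.dst_ip).is_loopback]


# Constructed sample inputs (not captured data); 192.0.2.0/24 and 198.51.100.0/24
# are documentation address ranges.
CONSTRUCTED_PAGE = """<html><body>
<h1>Down for maintenance</h1>
<iframe src="https://status.example.org/" width="600" height="200"></iframe>
<iframe src="http://192.0.2.10/content" width="0" height="0"></iframe>
</body></html>"""

CONSTRUCTED_CONN_LOG = """
# process     destination
firefox.exe   127.0.0.1:9150
tor.exe       198.51.100.7:443
firefox.exe   127.0.0.1:9150
firefox.exe   192.0.2.10:80
"""

if __name__ == "__main__":
    for src in find_suspicious_iframes(CONSTRUCTED_PAGE):
        print("hidden iframe loading from raw IP:", src)
    for c in find_tor_bypass(parse_conn_log(CONSTRUCTED_CONN_LOG)):
        print(f"Tor bypass: {c.process} -> {c.dst_ip}:{c.dst_port}")
```

The egress check is the more robust of the two, because it does not depend on how the injected script is obfuscated: whatever the payload does, the deanonymisation only works if the browser process itself reaches a public address, and a per-process egress rule on the host catches that regardless of the exploit used.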

Microsoft has reportedly given the US government an early look at its security vulnerabilities, which was allegedly used to aid the government's cyber espionage programs. There is no indication at this point that Mozilla worked with the government in this case.

Of course, this shows how complacency can be a very bad thing, especially when it comes to security. The operation may have been aimed at bringing down child abuse images, but it could also mean a serious security breach for international activists and Internet users living in repressive states who rely on the same services to practise free speech online.

Be sure you're running a recent enough Tor Browser Bundle; that should keep you safe from this attack. Windows users are advised to update: versions 2.3.25-10 (released June 26 2013), 2.4.15-alpha-1 (released June 26 2013), 2.4.15-beta-1 (released July 8 2013) and 3.0alpha2 (released June 30 2013) include the fix. Consider disabling JavaScript (click the blue "S" beside the green onion and select "Forbid Scripts Globally"). Disabling JavaScript will reduce your exposure to other attacks like this one, but it will also stop some websites from working as you expect.

Update: According to research by Baneki Privacy Labs, the Virginia IP address 65.222.202.53 hardcoded into the exploit is actually owned by Science Applications International Corporation (SAIC), a major intelligence, military, aerospace, engineering and systems contractor that works with the Federal Bureau of Investigation (FBI), the Defense Advanced Research Projects Agency (DARPA), the Central Intelligence Agency (CIA) and the National Security Agency (NSA).

They believe the hardcoded IP address is directly allocated to an NSA autonomous system (AS), so it was probably the NSA rather than the FBI that used the Firefox zero-day exploit to compromise Freedom Hosting and the Tor network.

Tor is a service that lets users surf the Internet, use instant messaging and access other services while keeping themselves completely anonymous, but Japan's National Police Agency wants ISPs to block access to Tor if users are found to have abused it.

The Japanese authorities are pushing for this because they are worried about their inability to tackle cyber crime enabled in part by anonymising services such as Tor. The Japanese police have had a hard time with crimes in cyberspace: just last year a hacker going by the name Demon Killer took remote control of systems across the country and posted death threats on public message boards.

The panel claimed Tor has been used in the past to commit Internet fraud, to help paedophiles groom children online and, tellingly, to enable leaks from Tokyo's Metropolitan Police Department.

Tor has proven to be an invaluable tool for pro-democracy campaigners in the Middle East, while censorious regimes such as the Chinese authorities have attempted to block users from using the system. Japanese ISPs have not welcomed the recommendation.

The Tor system was used by citizens in pro-democracy movements in the Middle East to escape government suppression, and Wikileaks also recommends Tor to those who provide it with information.

Internet activists and those living under oppressive regimes use Tor to carry out their online whistleblowing anonymously.

One can understand the zeal of the Japanese police to stamp out cyber crime, but someone might have to tell them that they’re going about it the wrong way. Tor is not the web evil it is painted to be: democratic activists under repressive governments have used it to good effect.